When you are working in a team, you tend to have a bunch of passwords that you need to share, such as the credentials that your app needs to start for example. Or maybe you need to share an account for some service.

Everybody kind of knows that posting their own passwords in the open is not a great idea. Yet, team passwords are often not subjected to the same courtesy. These are some practices that I have observed recently:

Storing the passwords on Post-It notes that everybody in the whole office can easily check.

Writing the the password directly on the source code.

Sending the passwords around via unencrypted email.

When I see this, I can only think of this quote from Scott Adams:

The goal of every engineer is to retire without getting blamed for a major catastrophe.

Leaking sensitive information is something that I personally don’t want to attach to my resume, so I have been preaching a lot lately about storing them somewhere safe. There is a tool which I like for that, which is gopass. I want to talk about setting it up and using it.

What are you even talking about?

Quoting the website of the project, gopass is a rewrite of the pass password manager in Go. In other words, it is a password manager that can be easily used by multiple people. It is very command line friendly, which allows you to include it in scripts. Very easy to install as well with brew. We will be installing GPG as well, since that is what actually provides the security:

brew install gopass gpg2

GPG keys are still a PITA

gopass itself is quite easy to use, but the encryption is done with GPG. Everybody who has dealt with that knows that it is everything but user friendly. One shortcut is to use Keybase. This is a tool that makes creating keys significantly easier, as explained here.

This is a rough summary of the steps you need to follow in order to get your GPG up and running with Keybase for OS X:

Install Keybase:

brew cask install keybase

Open the app and create an account

Create a key through the CLI:

keybase login
keybase pgp gen

You will be asked if you want to push the secret key to keybase.io. That is more convenient, but you have to be aware that this puts your key in somebody’s else server.

Also it is a good idea to set a passphrase when the key is exported to the GnuPG keychain.

They you just created is not trusted by default. You do this with gpg itself:

Adding/Removing people

Once you have the whole thing set up, you can add your fellow developers to the repository. For every developer, you need to import her GPG key and trust it, otherwise will fail when trying to add new recipients

Note that if you don’t add them to the recipients list first, cloning the repo will result in an error.

Using passwords from the command line

You know the best part about this? Any shell script can be integrated with this quite easily. I have a script at work that runs a test, and it prompts you for two keys every time it runs. I did this like ten times, and then I got sick of it and rewrote the script to read them from gopass directly.

gopass show team-store/somewebsite/password

Is that quality of life or what? Notice that if you are running the script on a CI pipeline, you can inject the variables beforehand, and the script will work both locally and there, without having to install gopass anywhere else and without changing the script.

Summary

In summary, there is no reason to have these passwords laying around when they can be safely stored in something like gopass. You know who has access, and can remove the keys when people leave the team. This of course does not fix the need to rotate the keys if somebody had access to them and now shouldn’t.

Alternatives

gopass is only one tool among many to deal with passwords. The point is not to use a concrete tool, but to become aware of the huge risk that you can incur by leaving passwords laying around. Here are some alternatives that can work as well:

KeePassX: Free an open source. The drawback is that there is only one master password for everybody.

1Password for teams: I haven’t used personally but it was used by some colleagues. It is not free, and the passwords end up in the cloud.